Abstract

We investigate the definition of security for encryption schemes in the
quantum context. We systematically define indistinguishability and semantic
security for quantum public-key and private-key encryption schemes, and for
computational security, physical security and information-theoretic security.
Based on our definitions, we present a necessary and sufficient condition that
leads to information-theoretic indistinguishability for quantum encryption
schemes. The equivalence between the indistinguishability and semantic
security of quantum encryption schemes is also proved.
1. Introduction

The definition of security for encryption schemes is an important area of
cryptography. Up to now, both quantum public-key encryption and quantum
private-key encryption have been studied. Here we carry indistinguishability
and semantic security over into the quantum context, which is useful for
analysing the security of quantum encryption schemes.

In our previous work, we have already given the definition of
indistinguishability for quantum public-key encryption schemes, for quantum
private-key encryption schemes, and for quantum bit commitment schemes, and
have presented a necessary and sufficient condition that leads to this
security. Here we systematically define indistinguishability and semantic
security for quantum public-key and private-key encryption schemes, and for
computational security, physical security and information-theoretic security.

The quantum parameters are continuous variables. In order to define
indistinguishability for quantum encryption schemes, we first give a
definition of indistinguishability for encryption schemes with continuous
variables, based on the probability density function, and a definition of
indistinguishability based on multi-circuits. We show that these definitions
are equivalent. Then we prove that indistinguishability based on
multi-circuits is equivalent to ordinary indistinguishability with a single
circuit. From this we obtain the definition of indistinguishability for
quantum encryption schemes. We define semantic security similarly.

The equivalence between computational indistinguishability and semantic
security for classical encryption schemes is already proved, but the
equivalence for the information-theoretic notions is still an open problem.
For public-key encryption, there is no information-theoretically secure
classical public-key encryption scheme, so we discuss the equivalence between
computational indistinguishability and semantic security for quantum
encryption schemes, and between the information-theoretic notions. For
private-key encryption, we discuss the equivalence between computational
indistinguishability and semantic security for quantum encryption schemes,
and between the information-theoretic notions for both classical and quantum
encryption schemes.


2. Preliminaries 


The definitions of indistinguishability and semantic security were first
presented by S. Goldwasser and S. Micali; Goldreich then developed these
definitions and gave classified definitions of indistinguishability and
semantic security under different conditions.


2.1. Indistinguishability

The indistinguishability for private-key encryption scheme is: 

Definition 1. (indistinguishability for private-key encryption scheme): A
private-key encryption scheme, $(G,E,D)$, is said to be an indistinguishable
scheme if for every polynomial-size circuit family $\{C_n\}$, every positive
polynomial $p(\cdot)$, all sufficiently large $n$, and every
$x, y \in \{0,1\}^{\mathrm{poly}(n)}$,

$$\left|\Pr[C_n(E_{G_1(1^n)}(x)) = 1] - \Pr[C_n(E_{G_1(1^n)}(y)) = 1]\right| < \frac{1}{p(n)} \tag{1}$$


For public-key encryption scheme, the indistinguishability is defined as:

Definition 2. (indistinguishability for public-key encryption scheme): A
public-key encryption scheme, $(G,E,D)$, is said to be an indistinguishable
scheme if for every polynomial-size circuit family $\{C_n\}$, every positive
polynomial $p(\cdot)$, all sufficiently large $n$, and every $x, y \in \{0,1$

$$\left|\Pr[C_n(G_1(1^n), E_{G_1(1^n)}(x)) = 1] - \Pr[C_n(G_1(1^n), E_{G_1(1^n)}(y)) = 1]\right| < \frac{1}{p(n)} \tag{2}$$

These definitions are based on computational security. If the inequalities
are satisfied for every circuit family $\{C_n\}$ instead of for every
polynomial-size circuit family $\{C_n\}$, we obtain the definitions based on
information-theoretic security.

2.2. Semantic security 

The semantic security for private-key encryption scheme is shown as: 

Definition 3. (semantic security for private-key encryption scheme):

A private-key encryption scheme, $(G,E,D)$, is said to be semantically
secure if for every probabilistic polynomial-time algorithm $A$ there exists a
probabilistic polynomial-time algorithm $A'$ such that for every probability
ensemble $\{X_n\}_{n \in \mathbb{N}}$ with $|X_n| < \mathrm{poly}(n)$, every
pair of polynomially bounded functions
$f(\cdot), h(\cdot): \{0,1\}^* \to \{0,1\}^*$, every positive polynomial
$p(\cdot)$ and all sufficiently large $n$,

$$\Pr[A(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] + \frac{1}{p(n)} \tag{3}$$

For public-key encryption scheme, it is: 

Definition 4. (indistinguishability for public-key encryption scheme):

A public-key encryption scheme, $(G,E,D)$, is said to be semantically
secure if for every probabilistic polynomial-time algorithm $A$ there exists a
probabilistic polynomial-time algorithm $A'$ such that for every
$\{X_n\}_{n \in \mathbb{N}}$, $f(\cdot)$, $h(\cdot)$, $p(\cdot)$ and $n$ as in
Definition 3,

$$\Pr[A(1^n, G_1(1^n), E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] + \frac{1}{p(n)} \tag{4}$$


Similarly, these definitions are based on computational security. If the
inequalities are satisfied with "for every algorithm $A$ there exists a
probabilistic algorithm $A'$" instead of "for every polynomial-time algorithm
$A$ there exists a probabilistic polynomial-time algorithm $A'$", we obtain the
definitions based on information-theoretic security.


3. Indistinguishability for quantum encryption scheme 

First, we discuss the indistinguishability of quantum private-key
encryption schemes based on that of classical private-key encryption schemes.

3.1. Indistinguishability based on probability density function 

As quantum information is continuous in character, to define the
indistinguishability of quantum encryption schemes we should first present
the indistinguishability of continuous variables. It must depend on the
probability density function, so we give the C-indistinguishability of
classical information as follows:

Definition 5. If the plaintext is a continuous variable, let the probability
density function of the plaintext space $P$ be $q(x)$, which is a continuous
function. A private-key encryption scheme, $(G,E,D)$, is said to be a
C-indistinguishable scheme if it satisfies the following condition: for every
polynomial-size circuit family $\{C_n\}$, every positive polynomial
$p(\cdot)$, all sufficiently large $n$, and every $x, y \in P$,

$$\left|\Pr[C_n(E_{G_1(1^n)}(x)) = 1] - \Pr[C_n(E_{G_1(1^n)}(y)) = 1]\right| < \frac{1}{p(n)} \tag{5}$$


3.2. Indistinguishability based on multi-circuits 

Then we give a definition of indistinguishability based on multi-circuits
as follows:

Definition 6. A private-key encryption scheme, $(G,E,D)$, is said to be an
M-indistinguishable scheme if for all polynomial-size circuit families
$\{C_n^i\}$, where $i = 1, 2, \cdots, m$, every positive polynomial
$p_i(\cdot)$, all sufficiently large $n$, and every
$x_i, y_i \in \{0,1\}^{\mathrm{poly}(n)}$:

$$\begin{aligned}
\left|\Pr[C_n^1(E_{G_1(1^n)}(x_1)) = 1] - \Pr[C_n^1(E_{G_1(1^n)}(y_1)) = 1]\right| &< \frac{1}{p_1(n)} \\
\left|\Pr[C_n^2(E_{G_1(1^n)}(x_2)) = 1] - \Pr[C_n^2(E_{G_1(1^n)}(y_2)) = 1]\right| &< \\
\left|\Pr[C_n^m(E_{G_1(1^n)}(x_m)) = 1] - \Pr[C_n^m(E_{G_1(1^n)}(y_m)) = 1]\right| &< \frac{1}{p_m(n)}
\end{aligned} \tag{6}$$


3.3. Equivalence of the definitions 

Based on the above definitions of indistinguishability, we will prove that
they are all equivalent. The proofs in this section are all based on the
definitions of computational security.

Lemma 1. A private-key encryption scheme is an M-indistinguishable
scheme if and only if it is an indistinguishable scheme.

Proof. For both sufficiency and necessity, we can argue by reduction
to absurdity. Here we prove the sufficiency as an example:

If the scheme is not M-indistinguishable, there must exist at least one
polynomial-size circuit family $\{C_n^i\}$, a positive polynomial
$p_i(\cdot)$, and $x_i, y_i \in \{0,1\}^{\mathrm{poly}(n)}$, such that for all
sufficiently large $n$

$$\left|\Pr[C_n^i(E_{G_1(1^n)}(x_i)) = 1] - \Pr[C_n^i(E_{G_1(1^n)}(y_i)) = 1]\right| > \frac{1}{p_i(n)}. \tag{7}$$

Therefore, if we let $\{C_n\} = \{C_n^i\}$, $p(\cdot) = p_i(\cdot)$, $x = x_i$,
$y = y_i$, we get:

$$\left|\Pr[C_n(E_{G_1(1^n)}(x)) = 1] - \Pr[C_n(E_{G_1(1^n)}(y)) = 1]\right| > \tag{8}$$

for all sufficiently large $n$, which means this scheme is not
indistinguishable. Thus the sufficiency is proved.

Similarly, we can prove the necessity. □
Lemma 2. A private-key encryption scheme with continuous plaintext is
a C-indistinguishable scheme if it is an indistinguishable scheme.

Proof. Assume the scheme is not a C-indistinguishable scheme. Then there
must exist $x, y \in P$ which satisfy, for all sufficiently large $n$, every
polynomial-size circuit family $\{C_n\}$, every positive polynomial
$p(\cdot)$:

$$\left|\Pr[C_n(E_{G_1(1^n)}(x)) = 1] - \Pr[C_n(E_{G_1(1^n)}(y)) = 1]\right| > \frac{1}{p(n)} \tag{9}$$

Let $n_0 = \max\{|x|, |y|\}$, where $|x|$ is the length of $x$, and let
$n > n_0$. We get that there exist $x, y \in \{0,1\}^{\mathrm{poly}(n)}$ which
satisfy, for all sufficiently large $n$, every polynomial-size circuit family
$\{C_n\}$, every positive polynomial $p(\cdot)$:

(10)

This contradicts the hypothesis that the scheme is an indistinguishable
scheme. Thus the lemma follows. □

The equivalence of these definitions is almost proved, except for the
necessity of Lemma 2. We planned to complete this direction via the definition
based on multi-circuits, but it has not worked out yet, so it is still a
conjecture.

Conjecture 1. A private-key encryption scheme with continuous plaintext
is a C-indistinguishable scheme if and only if it is an M-indistinguishable
scheme.

3.4. Indistinguishability for quantum encryption scheme

As the indistinguishability of classical private-key encryption schemes can
lead to that of continuous variables, we suggest here a definition of
information-theoretic indistinguishability for quantum private-key encryption
schemes as follows:

Definition 7. A quantum private-key encryption scheme is
information-theoretically indistinguishable if for every quantum circuit
family $\{C_n\}$, every positive polynomial $p(\cdot)$, all sufficiently large
$n$, and every $x, y \in \{0,1\}$:

(11)

where the encryption algorithm $E$ should be a quantum algorithm, and the
ciphertexts $E(x)$, $E(y)$ are quantum states.
Similarly, for quantum public-key encryption schemes, the
information-theoretic indistinguishability is given as:

Definition 8. A quantum public-key encryption scheme is
information-theoretically indistinguishable if for every quantum circuit
family $\{C_n\}$, every positive polynomial $p(\cdot)$, all sufficiently large
$n$, and every $x, y$ in the plaintext space:

$$\left|\Pr[C_n(G(1^n), E_{G(1^n)}(x)) = 1] - \Pr[C_n(G(1^n), E_{G(1^n)}(y)) = 1]\right| < \frac{1}{p(n)}, \tag{12}$$

where the encryption algorithm $E$ should be a quantum algorithm, and the
ciphertexts $E(x)$, $E(y)$ are quantum states.

In the classical context, security is defined under two conditions; here the
quantum definitions can be classified by three different conditions:

1. As defined above, we get the definitions of information-theoretic
indistinguishability.

2. If the inequalities are satisfied for every polynomial-size quantum circuit
family $\{C_n\}$ instead of for every circuit family $\{C_n\}$, this yields the
definitions of computational indistinguishability.

3. If the inequalities are satisfied for a specific exponential-size quantum
circuit family $\{C_n\}$, this yields the definitions of physical
indistinguishability; here the size is determined by the protocol.

The physical security presented here means that, even though the scheme may
not be information-theoretically secure, the attack cannot be realized
because of objective physical limitations.

3.5. The necessary and sufficient condition for information-theoretic indistinguishability

Here we present the sufficient and necessary condition for the
information-theoretic indistinguishability of quantum private-key encryption
schemes as follows:

Theorem 1. For every pair of plaintexts $x$ and $y$ and key $k$, let the
density operators of the cipher states $\sum_k p_k E_k(x)$ and
$\sum_k p_k E_k(y)$ be $\rho_x$ and $\rho_y$, respectively. A quantum
private-key encryption scheme is said to be information-theoretically
indistinguishable if for every positive polynomial $p(\cdot)$ and every
sufficiently large $n$,

$$D(\rho_x, \rho_y) < \frac{1}{p(n)} \tag{13}$$
Proof. For every quantum circuit family $\{C_n\}$,

$$\begin{aligned}
\Pr[C_n(E_{G(1^n)}(x)) = 1]
&= \sum_k p_k \cdot \Pr[C_n(E_k(x) \otimes \sigma) = 1] \\
&= \Pr[C_n(\textstyle\sum_k p_k E_k(x) \otimes \sigma) = 1] \\
&= \Pr[C_n(\rho_x \otimes \sigma) = 1],
\end{aligned} \tag{14}$$

where $\sigma$ is the density operator of the service bits of $C_n$.
Similarly,

$$\Pr[C_n(E_{G(1^n)}(y)) = 1] = \Pr[C_n(\rho_y \otimes \sigma) = 1], \tag{15}$$

Any quantum circuit family $C_n$ built for distinguishing two density
operators corresponds to a positive operator-valued measure (POVM)
$\{E_m\}$. Define $p_m = \mathrm{Tr}(C_n(\rho_x \otimes \sigma)E_m)$ and
$q_m = \mathrm{Tr}(C_n(\rho_y \otimes \sigma)E_m)$ as the probabilities of the
measurement outcomes labeled by $m$. In this case, we have:

$$\begin{aligned}
\Pr[C_n(\rho_x \otimes \sigma) = 1] - \Pr[C_n(\rho_y \otimes \sigma) = 1]
&\le \max_{\{E_m\}} \frac{1}{2} \sum_m \left|\mathrm{Tr}[E_m(C_n(\rho_x \otimes \sigma) - C_n(\rho_y \otimes \sigma))]\right| \\
&= \max_{\{E_m\}} D(p_m, q_m).
\end{aligned} \tag{16}$$

The last formula is equal to

$$D(C_n(\rho_x \otimes \sigma), C_n(\rho_y \otimes \sigma)) \le D(\rho_x \otimes \sigma, \rho_y \otimes \sigma) = D(\rho_x, \rho_y) < \frac{1}{p(n)}. \tag{17}$$

Hence, according to Definition 7, the theorem follows. □
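
The bound used in the proof of Theorem 1 can be checked numerically on one qubit. The following Python sketch is an added example, not code from the paper: it builds $\rho_x = \sum_k p_k E_k(x)$ for three key distributions, computes $D(\rho_x, \rho_y)$, and compares it with the best distinguishing advantage found by a search over projective measurements. The Pauli-pad schemes, the plaintext states and all function names are assumptions made for the illustration, and the ancilla $\sigma$ and circuit $C_n$ are folded into the measurement.

```python
import cmath
import math

# Added illustration: one-qubit matrices as nested lists; all names are hypothetical.
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(a):
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]

def pure(theta, phi):
    """Density operator of cos(theta/2)|0> + e^{i*phi} sin(theta/2)|1>."""
    v = [complex(math.cos(theta / 2)), cmath.exp(1j * phi) * math.sin(theta / 2)]
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]

def cipher_state(rho, keys):
    """rho_x = sum_k p_k E_k(x), taking E_k(rho) = U_k rho U_k^dagger."""
    terms = [(p_k, mul(mul(u, rho), dagger(u))) for p_k, u in keys]
    return [[sum(p_k * t[i][j] for p_k, t in terms) for j in range(2)]
            for i in range(2)]

def trace_distance(r, s):
    """D(r, s) = 1/2 Tr|r - s|. For one qubit, r - s is traceless Hermitian
    with eigenvalues +/- sqrt(a^2 + |b|^2), so D is that square root."""
    a = (r[0][0] - s[0][0]).real
    b = r[0][1] - s[0][1]
    return math.sqrt(a * a + abs(b) ** 2)

def best_advantage(r, s, steps=60):
    """Largest |Pr[outcome 1 | r] - Pr[outcome 1 | s]| found by a grid search
    over projective measurements (a stand-in for the distinguisher C_n)."""
    best = 0.0
    for i in range(steps + 1):
        for j in range(2 * steps):
            e = pure(math.pi * i / steps, math.pi * j / steps)
            gap = sum(e[m][n] * (r[n][m] - s[n][m])
                      for m in range(2) for n in range(2))
            best = max(best, abs(gap))
    return best

def analyse(keys, plain_x, plain_y):
    """Return (D(rho_x, rho_y), best measured advantage) for a key distribution."""
    rx, ry = cipher_state(plain_x, keys), cipher_state(plain_y, keys)
    return trace_distance(rx, ry), best_advantage(rx, ry)

ZERO, ONE, PLUS = pure(0, 0), pure(math.pi, 0), pure(math.pi / 2, 0)
FULL_PAD = [(0.25, u) for u in (I2, X, Z, mul(X, Z))]  # uniform X^a Z^b
X_ONLY = [(0.5, I2), (0.5, X)]                         # bit flip only

def biased_pad(eps):
    """Bit-flip pad whose key bit is 0 with probability 1/2 + eps."""
    return [(0.5 + eps, I2), (0.5 - eps, X)]

if __name__ == "__main__":
    print("full pad, |0> vs |+>:", analyse(FULL_PAD, ZERO, PLUS))
    print("X only,   |0> vs |+>:", analyse(X_ONLY, ZERO, PLUS))
    print("biased,   |0> vs |1>:", analyse(biased_pad(0.05), ZERO, ONE))
```

For the biased pad the distance is $2\varepsilon$, so the condition of Theorem 1 holds only when the key bias shrinks faster than every inverse polynomial in $n$.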

For quantum public-key encryption schemes, we also have a theorem:

Theorem 2. For every pair of plaintexts $x$ and $y$ and public key $k$, let
the density operators of the cipher states $\sum_k p_k E_k(x)$ and
$\sum_k p_k E_k(y)$ be $\rho_x$ and $\rho_y$, respectively. A quantum
private-key encryption scheme is said to be information-theoretically
indistinguishable if for every positive polynomial $p(\cdot)$ and every
sufficiently large $n$,

(18)

The proof for quantum public-key encryption schemes is similar to the
above.

4. Semantic security for quantum encryption scheme 

The semantic security of a quantum encryption scheme means that whatever
can be efficiently computed from the ciphertext can be efficiently computed
when given only the length of the plaintext. For quantum private-key
encryption schemes it reads:

Definition 9. A quantum private-key encryption scheme is semantically
secure if for every quantum algorithm $A$ there exists a quantum algorithm
$A'$, such that for every probability ensemble $\{X_n\}_{n \in \mathbb{N}}$
with $|X_n| < \mathrm{poly}(n)$, all quantum bounded functions $f, h$, every
positive polynomial $p(\cdot)$, and all sufficiently large $n$:

$$\Pr[A(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) \tag{19}$$

where the encryption algorithm $E$ should be a quantum algorithm, and both
the algorithms and the functions output 0 or 1.

Note that here the probability function Pr includes more parts than in the
classical definitions: besides the probability distributions of $G$, $X_n$,
$A$ and $A'$, since the quantum algorithms and functions both output classical
information, Pr should also include the probability of collapse.

Similarly we can get the definition for quantum public-key encryption
schemes:

Definition 10. A quantum public-key encryption scheme, $(G,E,D)$, is said
to be semantically secure if for every quantum algorithm $A$ there exists a
quantum algorithm $A'$ such that for every $\{X_n\}_{n \in \mathbb{N}}$,
$f(\cdot)$, $h(\cdot)$, $p(\cdot)$ and $n$ as in Definition 0

$$\Pr[A(1^n, G_1(1^n), E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] < \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) \tag{20}$$

where the encryption algorithm $E$ should be a quantum algorithm, and both
the algorithms and the functions output 0 or 1.

As mentioned above, semantic security can also be classified by three
different conditions:

1. As defined above, we get the definitions of information-theoretic
semantic security.

2. If the inequalities are satisfied while $A$ and $A'$ are bounded to
polynomial time, this yields the definitions of computational semantic
security.

3. If the inequalities are satisfied while $A$ and $A'$ are bounded to a
specific exponential time, this yields the definitions of physical semantic
security; here the size is determined by the protocol.

5. Equivalence of the security definitions 

First, we state and prove the following theorem for quantum private-key
encryption schemes with computational security. Similar results hold for
quantum public-key encryption schemes and for quantum private-key encryption
schemes with information-theoretic security.

Theorem 3. A quantum private-key encryption scheme is semantically
secure if and only if it is indistinguishable.

Proof. 

1. "indistinguishability" implies "semantic security".

First, as the scheme is indistinguishable, for every $C_n$, $p(\cdot)$, $x$,
$n$ as in Def. 7 and $y = 1^{|x|}$, we get the following inequality:

$$\Pr[C_n(E_{G(1^n)}(x)) = 1] - \Pr[C_n(E_{G(1^n)}(1^{|x|})) = 1] < \frac{1}{p(n)}, \tag{21}$$

Then we construct the quantum algorithm $A'$ as follows: the quantum
algorithm $A'$ performs essentially as $A$ does, while replacing the input
$X_n$ of algorithm $A$ with $1^{|X_n|}$.

To simplify the notation, let $h_n(x) = h(1^n, x)$, $f_n(x) = f(1^n, x)$,
$A_n(x) = A(1^n, x)$ and omit $1^{|X_n|}$ from the inputs given to $A$. Then,
using the construction of $A'$, we get:

$$\begin{aligned}
\Pr[A(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] &= \Pr[A_n(E_{G_1(1^n)}(X_n), h_n(X_n)) = f_n(X_n)], \\
\Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] &= \Pr[A_n(E_{G_1(1^n)}(1^{|X_n|}), h_n(X_n)) = f_n(X_n)].
\end{aligned} \tag{22}$$


For every string $x_n \in \{X_n\}$, the values $f_n(x_n)$, $h_n(x_n)$ are
fixed. We then construct a quantum circuit $C_n$ as follows: on input $x_n$,
the circuit $C_n$ invokes $A_n(E_{G_1(1^n)}(x_n), h_n(x_n))$ and outputs 1 if
$A_n$ outputs $f_n(x_n)$; otherwise, $C_n$ outputs 0. This circuit is indeed of
polynomial size because $f_n(x_n)$ and $g_n(x_n)$ are of polynomial length and
$A$ is a polynomial-time quantum algorithm.

Thus we get:

$$\Pr[C_n(E_{G(1^n)}(x)) = 1] = \Pr[A_n(E_{G_1(1^n)}(X_n), h_n(X_n)) = f_n(X_n)]; \tag{23}$$

We argue by contradiction. If the scheme is not semantically secure, then
for every $A'$

$$\Pr[A(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] > \Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] + \frac{1}{p(n)}, \tag{24}$$

which is equivalent to:

$$\Pr[C_n(E_{G(1^n)}(x)) = 1] - \Pr[C_n(E_{G(1^n)}(1^{|x|})) = 1] > \frac{1}{p(n)} \tag{25}$$

This contradicts InEq. (26), so the sufficiency follows. □

2. "semantic security" implies "indistinguishability".

Again we argue by contradiction. If the scheme is not indistinguishable, we
can assume that there exist a polynomial $p(\cdot)$ and a polynomial-size
circuit family $\{C_n\}$ such that for infinitely many $n$ there exist
$x_n, y_n \in \{0,1$ so that:










Then we define $X_n$ to be uniformly distributed over $\{x_n, y_n\}$; define
$f(1^n, X_n) = 1$ when $X_n = x_n$ and $0$ when $X_n = y_n$, each with
probability 1/2; and define $h(1^n, X_n)$ to be the description of the circuit
$C_n$, which reveals no information on the value of $X_n$.

Here we present a polynomial-time quantum algorithm $A$ that recovers
$C_n = h(1^n, X_n)$, takes $E_{G(1^n)}(x_n)$ as input, and outputs what $C_n$
outputs.

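Thus we get:

$$\begin{aligned}
&\Pr[A(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] \\
&\quad = \frac{1}{2} \Pr[A(1^n, E_{G_1(1^n)}(x_n), 1^{|X_n|}, C_n) = 1]
 + \frac{1}{2} \Pr[A(1^n, E_{G_1(1^n)}(y_n), 1^{|X_n|}, C_n) = 0] \\
&\quad > \frac{1}{2} + \frac{1}{2p(n)}
\end{aligned} \tag{27}$$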


In contrast, since the input values $1^n$, $1^{|X_n|}$ and $h(1^n, X_n)$ are
independent of the random variable $f(1^n, X_n)$, $A'$ cannot output
$f(1^n, X_n)$ with success probability above 1/2, so we get:

$$\Pr[A'(1^n, 1^{|X_n|}, h(1^n, X_n)) = f(1^n, X_n)] \le \frac{1}{2} \tag{28}$$

Combining InEqs. (27) and (28), we reach a contradiction to the hypothesis
that the scheme is semantically secure. Thus the necessity follows. □
As both sides of the theorem are proved, the theorem is proven. ■


6. Conclusions 

In this paper we suggest definitions of indistinguishability and semantic
security for quantum encryption schemes with information-theoretic security,
physical security and computational security. We show a necessary and
sufficient condition that leads to information-theoretic indistinguishability,
which is useful for proving this security. We proved the equivalence between
indistinguishability and semantic security with computational security for
quantum encryption schemes; the other equivalences also hold, with similar
proofs.